Personal data is an incredibly important resource, however, it’s now being harvested and distributed at an alarming rate. It’s clear that something needs to be done to regulate its management. Companies that collect, store and use data need to be accountable and transparent.

Cue the new EU General Data Protection Regulation (GDPR), effective from 25 May 2018 which aims to protect the EU citizen’s personal data in today’s digital world.

What is personal data?

Personal data is what can be used to directly or indirectly identify a person – a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. The new regulation is all about putting the power over personal data back in the hands of the individual.

How will this affect marketing?

With marketing and PR, this changes the way we handle data. Now just weeks away to the May deadline, it’s time to future proof your business. Failure to comply will see companies faced with fines of up to €10m or 2% of global turnover. The maximum fine is up to €20m or 4% of global annual turnover.

Here are some additional important things you need to consider below.

Legal Grounds for Data Processing

Within GDPR, there are six legal and legitimate grounds for processing personal data:

1. Consent
2. Contract
3. Legal Obligation
4. Vital Interests
5. Public Interest
6. Legitimate Interest

Consent and Management

Consent, as outlined above, is defined as a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data”.

In simple language, consent must be given and not assumed.

For example:

• If you have a monthly newsletter, you need to ensure that every person on the list gave an unambiguous indication that they agreed to the processing of personal data relating to him or her.
• Silence, pre-ticked boxes or inactivity does not constitute as consent.
• You now need to ask potential sign-ups to specifically opt-in to newsletters by ticking the sign-up box.
• If you have doubts that your existing database meets the new guidelines, then you need to consider requesting their consent.

Rights and Access

Under EU GDPR, data subjects also have a number of specific rights, including the right to access their personal data, rectify data, erase their dare if it’s no longer necessary for purpose and have the right to be forgotten, and have their personal data removed from indexes, i.e. Google.

This now means that people have greater access and more control over their personal data. It is a company’s responsibility to make sure that your users can easily access their data and remove consent for its use. Companies need to have guidelines in place to ensure this is achievable.

Focus and Need

All data now collected under GDPR must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Any data collected by the organisation deemed unnecessary will constitute a breach of GDPR.

Tips To Prepare For GDPR

Investigate: Instigate a GDPR strategy in your business, if one does not exist.

Document: Know what personal data your organisation holds or processes. Identify where it came from and who you share it with.

Review: Look at your current data protection strategies. Address where changes can be made. Do you have a procedure in place to deal with access requests?

Appoint: A Data Protection Officer is required for organisations conducting mass surveillance or mass processing of special categories of data.

ARTICLE BY: MARIA TRACEY 

Post by Susie Horgan

Susie founded Springboard in 2011, and has developed the business into a leading, director-led communications agency. She has worked for over 20 years in senior marketing and public relations roles.